Todd Plesco is the Chief Information Security Officer of PrescribeWellness. PrescribeWellness's cloud-based platform is used by pharmacies and other healthcare professionals to provide more effective, preventive healthcare services, which improve medication adherence, chronic disease management, transitions in care, and population health.
Mr. Plesco is responsible for developing and executing cyber security strategy and leading teams focused on risk management, security engineering, application security, cyber security operations and policy, and company-wide cyber security resiliency. His mission promotes a vigilant culture that places a high value on protecting the privacy and security of information resources and the personal health information entrusted to PrescribeWellness.
All too often, I hear colleagues wax poetic on the disdain their directors and managers have towards the mission of cyber security. I'm always eager to provide some sage couples counseling wisdom toward these difficult relationships between CISOs and their colleagues.
Someone once said that Fear, Uncertainty, and Doubt (FUD) will get you, at best, one to two weeks of hypervigilance and funding until the fizz goes out of the soda pop. To change culture, you need to make things happen differently. Accepting a new culture and aligning its features with what already exists sometimes requires befriending fear. The average human response to change is "loss aversion," a willingness to accept a loss rather than accept change. The excitement of FUD should be embraced. To make use of it, talk with the company in every setting about the latest and greatest tidbits of cyber news and how intriguing they are.
Cyber security is a fun realm to work within. When the dark clouds approach, you should be able to laugh at yourself and your situation. Cyber security is not for the faint of heart nor for those with an unending yearning for appreciation. If you don't like your job, then you will dread doing it. You get one life; get busy living it and laugh with the challenges.
Imagine what your new company security-minded culture should look like and do it. Educate yourself on how to get there, surround yourself with cyber security optimists, then dive in head first with a renewed vigor and enthusiasm not seen by many. Surprise yourself with your creativity in educating the workforce. With today's connected world, there is very little room to make excuses about why you were not able to convey a message.
Focus your conversations with employees on why you want to be the top in cyber security rather than on the excuses about why it is so hard to do. Get specific and include emotional and energetic reasons: "For me, it is personal. Privacy is the what and cyber security is the how."
It's not This or That. It is This and That. Importance and priorities should not dictate that your sole focus and strategy be affixed to only one thing. Make cyber security one of several key strategies in your company. Compliance, industry standards, company reputation, efficiency and practice, and many other value adds are key success drivers for every company that relies upon data integrity.
Too many are in the CYA business rather than the FTW marathon. See the dreams and go for them; don't see the demons to hide from them. There are so many reasons to be the best with information assurance and information security. You can either be concerned with the adversarial aspects or the creation of solutions. Either way, you will find what you are looking for.
Appreciate your friendship with cyber security. Share it with others. Introduce your friend often. Tell stories about how good your friend is. Be glad when your friend becomes very popular.
A quick way to shut down a conversation is to say, "I know this (already)." That is not very appealing. Instead, try, "Tell me more" or, "This is good information, I want to learn." Sometimes, instead of throwing up walls by being the expert, you may find that admitting you have a problem is the first step to enlightenment.
Learn to appreciate your gaps, threats, and vulnerabilities. Your thankfulness for these risks will foster your patience for designing the controls that can address them. Risks are a gift—embrace them.
Give your colleagues credit but always get it in writing. Never assume everyone understands, so ensure they do and document everyone's training at least annually. Most importantly, seek critiques, criticisms, and comments at all possible opportunities.
Your love for cyber security will be much more productive as you make mistakes and grow.
To read more from Todd Plesco, please visit Information Security Pro at http://www.infosecurity.pro/.
MODIFIED: Jul 18, 2017